<html>
<body>
Reports calls to <code>java.sql.Connection.prepareStatement()</code>, <code>java.sql.Connection.prepareCall()</code>, or any of their
variants which take a dynamically-constructed string as the statement to prepare.
<p>
  Constructed SQL statements are a common source of
  security breaches. By default, this inspection ignores compile-time constants.
</p>
<p><b>Example:</b></p>
<pre><code>
  String bar() { return "bar"; }

  Connection connection = DriverManager.getConnection("", "", "");
  connection.("SELECT * FROM user WHERE name='" + bar() + "'");
</code></pre>
<!-- tooltip end -->
Use the inspection settings to consider any <code>static</code> <code>final</code> fields as constants. Be careful, because strings like the
following will be ignored when the option is enabled:
<pre><code>
  static final String SQL = "SELECT * FROM user WHERE name='" + getUserInput() + "'";
</code></pre>
</body>
</html>